Replication Through Removable Media

Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible.

Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. [1] [2] The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. [3] [4] [5] [6] [7] [8] The plant has since checked for infection and cleaned up more than 1,000 computers. [9] An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. [10]

ID: T0847
Sub-techniques:  No sub-techniques
Tactic: Initial Access
Platforms: None
Version: 1.0
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S0608 Conficker

Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network. [11] Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility. [4]

S0603 Stuxnet

Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. [12] The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. [13]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0013 Field I/O
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0942 Disable or Remove Feature or Program

Consider the disabling of features such as AutoRun.

M0934 Limit Hardware Installation

Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.

M0928 Operating System Configuration

Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.

Detection

ID Data Source Data Component Detects
DS0016 Drive Drive Creation

Monitor for newly constructed drive letters or mount points to removable media.

DS0022 File File Access

Monitor for files accessed on removable media, particularly those with executable content.

File Creation

Monitor for newly constructed files copied to or from removable media.

DS0009 Process Process Creation

Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.

References